shc compiles shell scripts into standalone ELF executables. The tool is not inherently malicious, but quickly identifying samples built with it can save analysts a lot of time.

The shell script contents of shc-compiled binaries are protected with ARC4 encryption. This makes shc a popular choice for administrators attempting to mask the contents of scripts that contain secrets.

Binaries produced by earlier versions of shc could be decompiled with UnSHc: https://github.com/yanncam/UnSHc

The following Yara rule identifies samples built with shc:

rule shc {
    meta:
        description = "Compiled with generic shell script compiler (shc)"
        reference = "https://github.com/neurobin/shc"
        decompiler = "https://github.com/yanncam/UnSHc"

    strings:
        $ = "=%lu %d"
        $ = "%lu %d%c"
        $ = "%s%s%s: %s"

    condition:
        uint32(0) == 0x464c457f and all of them
}
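The rule's condition re-expressed in Python for triage on hosts where YARA is not installed, reporting each indicator separately so near-misses are visible. This is an added example, not part of the original page; the function names and the sample buffers are constructed for illustration.

```python
import struct
from pathlib import Path

ELF_MAGIC = 0x464C457F  # "\x7fELF" read as a little-endian uint32, as in the rule
# The three anonymous strings from the rule's strings section.
SHC_STRINGS = (b"=%lu %d", b"%lu %d%c", b"%s%s%s: %s")


def check_shc(data: bytes) -> dict:
    """Evaluate the rule's condition on a byte buffer and report each part."""
    is_elf = len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == ELF_MAGIC
    found = {s.decode(): s in data for s in SHC_STRINGS}
    return {"elf": is_elf, "strings": found,
            "match": is_elf and all(found.values())}


def scan_tree(root: str) -> list:
    """Return paths of regular files under root that satisfy the rule."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            try:
                if check_shc(path.read_bytes())["match"]:
                    hits.append(str(path))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return hits


# Constructed sample buffers (not real shc output) to exercise each branch.
_HDR = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SAMPLE_FULL = _HDR + b"\x00".join(SHC_STRINGS) + b"\x00"
SAMPLE_PARTIAL = _HDR + b"=%lu %d\x00%s%s%s: %s\x00"  # second string absent
SAMPLE_NOT_ELF = b"#!/bin/sh\n" + b" ".join(SHC_STRINGS)  # strings, no ELF magic

if __name__ == "__main__":
    for name, blob in [("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL),
                       ("not-elf", SAMPLE_NOT_ELF)]:
        print(name, check_shc(blob))
```

`scan_tree` reads each file fully into memory, which is acceptable for a quick sweep of a sample directory but not for very large files.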
